Equifax Stock Sales Are the Focus of U.S. Criminal Probe (bloomberg.com)
414 points by loeg on Sept 18, 2017 | 190 comments

I'm reminded of when baseball was pulled in front of Congress and players were questioned about steroid use.

There was one player, Sammy Sosa, who had for years conducted interviews in English, who suddenly could not speak English when questioned by Congress.

This seems to mirror what's going on at Equifax now. The executives' only way of staying out of jail is to claim that they suddenly have no idea what's going on, not only in their company but, in the case of the IT people, also in the very division they are supposed to be running...


Time for Matt Levine to update his rules of insider trading to add rule 11: if caught insider trading after a security breach, don't try and claim that you as a C-level executive don't know what's going on in your own company.

I have wondered if the SEC could finesse this by saying "Ok, you can stick with your 'I didn't know' defense and we'll drop the insider trading case but we'll require that the company separate you for cause and invalidate all post separation agreements." (aka the golden parachutes).

Since the benefits of such contracts often dwarf the value they receive from trading, it should help 'remind' them of what they did and didn't know. But they should not be allowed to have it both ways.

Invalidate golden parachutes due to proven incompetence/negligence? I'll take that :)

Though, I don't know if it's even gonna be an option on the table.

Never going to happen. Corporate boards are all stacked with C-level execs of other companies. These people went to the same business schools, socialize together, serve on boards together.

It's a small world where everyone knows one another and I rub your back so you rub mine.

A true meritocracy, in other words.

... and earn 7 figures annually.

If you testify to the SEC that you didn't manage your division well enough to even know that basic security was being handled appropriately, as a shareholder, can I sue you for negligence?

Cause it sounds like you're testifying that you're just not doing your job in any meaningful capacity, and I should be able to include that as a fact in a civil suit, since you swore in public record that it was the truth.

Forcing them to testify that they didn't fulfill their duties to the shareholders in order to not be responsible personally for the breaches may introduce enough liability all on its own.

It's probably far easier to organize with your other shareholders to get that person fired. Suing is an option, but you should probably try what I suggested in the meantime.

You can sue anyone for anything in our legal system. It's just a matter of whether you have the time and funds and a good case, of course.

Nobody ever asks if they can open a lawsuit against someone.

They ask if an opened suit can possibly succeed. That is what "can I sue" means colloquially, one hundred percent of the time.

I wouldn’t say 100%; maybe 99.9%

I think so? Doing bad things and then not informing shareholders about it tends to turn "these guys should be prosecuted" into securities fraud cases.

Nothing forces the accused to testify about anything.

Not exactly sure what you're driving at. If there's enough evidence that these guys knew despite their protestations to the contrary, it doesn't matter what they say. It's not like they need to confess to get convicted. And if there's not enough evidence, the SEC can't make companies fire its executives or revoke golden parachutes.

The point is that if they claim that they didn't know better, and that is to be taken at face value, then they're plainly not competent to hold their jobs.

So, if they testify that they knew - they're liable.

If they testify that they didn't know, and SEC can prove otherwise - same as above + perjury.

If they testify that they didn't know, and SEC cannot prove otherwise, then at least it is treated as them confirming their incompetence. So if they get, say, a bonus later, or a "golden parachute" for outstanding service on retirement, that is treated as evidence contradicting their claims.

When did the government get the authority to tell a company who they can hire and under what conditions?

Either there's enough evidence to convict those execs of crimes, or there isn't. If there's not sufficient evidence for that, then how can you suggest that the government should still have the authority to have them punished?

The US Government has always had that authority: the Government insists you only hire people who are allowed to work (by their rules) in the US, the Government insists you hire people without discrimination (regardless of how much you might want to), and the Government insists that when you hire someone you will not exploit them in any number of ways. Further, the Government has given itself the authority to forfeit civil assets, whether or not they get a criminal conviction.

Clearly it doesn't apply to non US governments but the government of the United States has all of the tools already at their disposal to unilaterally implement just this sort of policy.

The policy question is a bit deeper than that, governing is ideally equal parts carrot and stick, and when there is clear evidence of a harm (and there is in this case) where it is impractical for the citizen to prosecute their own defense (could be debated either way) then the last line of defense for the citizen is the enforcement by their collectively empowered authority. That is perhaps the fundamental source of authority for any government.

You're saying that like all companies are just widget manufacturers and who cares whether they succeed or fail? But some companies make their money based on a public trust, and if you turn out to be abusing that, the government should come down on you with the full weight and measure of their power. We've spent so long in the middle and upper classes of the First World kneeling at the altar of Shareholder Value that we don't see any difference between Someguy's Ditch Digging Service and Arsenic Baby Vitamins, Inc.

> "Ok, you can stick with your 'I didn't know' defense and we'll drop the insider trading case but we'll require that the company separate you for cause and invalidate all post separation agreements."

And a fine/penalty for not doing their job and putting so many lives at stake. They should literally be driven down to middle class mediocrity for their negligence.

There has to be some example set for future transgressions.

They need to go to prison and their company broken up.

I resonate with the sentiment but I expect taking away the golden parachutes of affected C level execs will go further to improving accountability than any amount of prison time will.

But who would ever take a C-level position then? Since they're the face of the company, they're fired ceremoniously as a PR move whenever something bad happens.

In my experience a lot of people would take the job believing that they wouldn't allow something like that to happen on their watch. That said, you do have a point about the added pressure. Much like the '3 strikes' rule in California, the unintended consequence might be even more egregious and illegal behavior in order to avoid losing their contractual exit commitments.

If you kill their company, other companies will stop reporting breaches.

Or maybe they'll report in a more timely manner. They knew for the entire month of August a breach had occurred and they didn't report it.

It shouldn't take more than a couple days. That's enough time to verify you had a problem and get a good picture of the extent. You might not have all the details nailed down, but you put out the information you know and say "We'll provide more details as they become available."

It seems unlikely that anyone would've cared. The big problem is that they lost everyone's SSNs. The timing around the reporting isn't really why their company is under the guillotine.

Whoever dismantles their company could try to frame it that way, but the rest of the industry will see through that. It won't be a good situation for us to be in.

I wish more folks would use this as an example for why it might be time for us as a society to move on from having identity security hinge on a 9-digit number and a few other pieces of "flimsy" information.

You mean like the Social Security Office advised when social security numbers were first assigned?

They can advise all they like. When a law gets passed that says private companies cannot refuse or degrade service to any consumer that refuses to disclose certain categories of information that are not directly relevant to the operation of the business with respect to that specific consumer, then I will believe that the government is serious about this.

Right now, a baker can refuse to sell you a cupcake if you won't tell them your SSN. Your electric company can refuse to sell you power if you don't tell them your SSN. The phone company can refuse to give you dial tone. They can even refuse to serve you if your SSN has too many fives in it, or not enough. The character of the SSN currently assigned to you is simply not a protected class for anti-discrimination purposes, even though the difficulty in changing it is somewhere between one's race and one's religion.

So if I as a business wanted to discriminate against a protected class, I could ask for the person’s SSN and refuse service when they don’t provide it?

No because judges are smart people and not easily tricked by games like that.

You would have to ask everyone for their SSN.

I agree, though it's not clear to me what we should use for identity security. Any piece of information related to a person is going to get out eventually.

If they had a requirement to report each breach promptly, we'd have known far sooner there was a problem there, and the pressure to improve security would have been higher. They have been leaking for years.

I'd argue factors that push such details out would overrule that worry. When there are three companies with the sort of power that credit ratings hold over people society is already suffering.

The people need to rein in the corporate interests of the world. Companies are already larger and more powerful than governments. People should be freaking out. This event just underscores that need.

So the goal here is similar to DMCA striking Pewdiepie: To use a legal measure against an entity you don't like because it's convenient.

That seems like a dangerous, slippery road with a lot of unintended side effects.

Individuals will always utilize the power granted to them in whatever way is most convenient to them.

This is why it's important we not allow laws to be passed with the assumption that overly broad permission grants are OK, because they'll only be used 'correctly'.

How do you cover up a leak on this scale without being criminally liable (assuming public company)?

White collar crime is difficult to prosecute. If you give people the choice between the certainty of losing millions of dollars and the somewhat remote possibility of prison, they may not make the right choice.

Perhaps we should be paying much higher rewards to whistleblowers, then.

If they fess up to insider trading do they get to keep their golden parachute? If not they wouldn't really have any more incentive to be cooperative.

No. Jail + fine >= golden parachute.

> There was one player Sammy Sosa who had for years conducted interviews in English who suddenly could not speak English when questioned by congress.

Do you know how stressful it is being questioned? I was waiting to pick someone up from a train station in Spain when security approached to tell me the station had closed, and why was I still there. All the Spanish went out my head. I imagine being questioned by congressional investigators is probably even more stressful.

Sometimes people's lawyers will also advise them not to accept being questioned in a foreign language even if they're relatively fluent because small language nuances may make a big difference in legal proceedings. I've given lectures and press interviews in Portuguese before, but if I were giving an oral deposition in a Brazilian court case or being questioned by police, I would ask for an interpreter.

I was once on a jury in California in a case where several witnesses gave testimony through a Spanish interpreter. It seemed clear that some of the witnesses who testified through the interpreter were fluent in English, and so it seemed a little gratuitous to me at the time. Later on I understood that it made sense both for reducing the stress in the situation and for avoiding any minor linguistic misunderstandings in cross-examination that a lawyer might try to make a big deal out of. It's quite possible that the lawyers encouraged their witnesses to use the interpreter.

I am fluent in English. I have been for many years. But until a couple months ago, I thought "throw" in "throwing a game" was similar to "throwing a party". One is a fun activity; the other could be a criminal offence. If I were being questioned in a court, I would definitely request an interpreter. I wouldn't want to inadvertently confess to a crime I didn't commit because I didn't quite understand the linguistic nuances of the question.

Aren't you worried about your story not quite coming through because you're speaking through someone else?

Well, being fluent/conversational means you can still hear what words the translator chooses, and can verify it means what you meant. It's just that their word choice would be more precise.

You would lose so much nuance. And I don't think you are in a position to verify anything, since you claim not to speak the language.

It sounds like a bad idea all around.

I wouldn't pretend I don't speak the language. I would simply request to have an interpreter present similar to how I would request a lawyer. I would check with my lawyer to see if I have the right to an interpreter. If I do, I would absolutely use it.

I'm more concerned that the prosecution, understanding how stressful the situation is for me and how, not being a native speaker, I wouldn't necessarily be familiar with legalese or a very formal lexicon, uses it against me to extract a confession due to my confusion, than I am that the nuances would be lost through an interpreter.

If you were a professional baseball player, you'd know what "throwing a game" was.

The problem is I don't know what I don't know, and I wouldn't want to risk finding it out in a court. I would never take that chance with my freedom. It's one of those cases where what is the worst thing that could happen can be quite bad.

I'm an American in Germany, and I speak German with the immigration office (want them to see how hard I'm trying).

I speak English with the police, even for trivial things where I'm the one requesting service, like when I lost my wallet. That is not a context where I want to get anything wrong, and where there is absolutely nothing to be gained from showing off what I learned in language class.

Good point. Fortunately he had the foresight to bring an attorney along to testify on his behalf. And an artfully worded statement that avoided a perjury charge, as he did not 'inject' anything -- the trainer's drug of choice was available as a tablet after all.

You know what, I actually hadn't thought about it, and I think you make a very good point.

Though to be fair, the Sammy Sosa anecdote was more for humor than anything else. Oddly it turned into a comment that got 50 upvotes.

I appreciate the response. I think you've flipped my thinking on this :)

Matt Levine has already stated that this won't result in a new rule; that there is nothing new here and everything falls under rule #1: "don't insider trade".

He also said this (which, scanning through this thread, appears to be a rare voice of reason):

> Also, though, I found it hard to imagine that those Equifax executives were consciously insider trading. It would just be too dumb. Equifax's press release reporting the breach says that it "discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion," though it didn't announce it until yesterday because it was still investigating. The three executives filed Form 4s reporting sales on Aug. 1 and 2, days after the discovery. You could just about imagine them learning of the security breach, panicking, and selling everything -- except that they didn't sell everything. One sold about 4 percent of his stock holdings, another about 9 percent, another about 13 percent. Why do such comically obvious insider trading if you're only selling a small percentage of your stock? And indeed the company explained that these executives "had no knowledge that an intrusion had occurred at the time." I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.

> I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.

That's exactly right. I can imagine the gradual motion up the chain of command, with the progress actually slowing down as the size of the breach and potential exposure becomes more and more apparent, and each level trying to minimize the damage. I'd have hated to be the guy that had to tell the CEO...

Silicon Valley did it best, and it's funny because it's true: https://www.youtube.com/watch?v=ddTbNKWw7Zs

C-levels aren't notified of anything until there are concrete details to share. They don't want to be notified of every port scan or bruteforce attempt, nor do they want to deal with the scope of a confirmed breach changing on a daily basis ("yesterday you told me only N consumers were compromised, now you're telling me it's worse?!")-- a bad situation that gets reported as worse and worse every day is great for Fox News, but bad for shareholder confidence.

It's better for them that they don't know anything until they know everything.

"The guy that had to tell the CEO" (actually woman) was one of the two parties who resigned the other day.

Depends on the industry. Companies in certain highly regulated industries are required to escalate even a minor breach of security ("We think something could possibly have happened, but there's no evidence anything did.") to C-level ASAP. One place I worked, if a breach was discovered by a janitor, it should make it to the C's within 24 hours or everyone in between would be reprimanded, if not sacked.

But that was a very specific (and again, regulated) industry.

Owen Davis of Dealbreaker is skeptical:

> When did the company learn of this incident? "We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review."

> The trades in question took place between three and four days later. During this time, Equifax would have us believe, these three senior managers were kept in the dark about the fact that hackers had undertaken what may be the largest-ever private security breach right under their noses. Moreover, we’re to understand that even the chief financial officer remained unaware as the company “acted immediately” to right the ship.


> Why do such comically obvious insider trading if you're only selling a small percentage of your stock?

Because then it makes it look innocuous and fools those who would scrutinize the behavior, like it may have for anyone expressing the above opinion. It would be so blindingly damning to sell off all of one's holdings, but selling off a small portion could allow for partial benefit of your asset at peak value before it declines.

If it were me, I'd do it exactly this way. I'd be trying to find the perfect intersection of mitigating the upcoming asset value decline and maximizing perceived innocuousness. Selling everything? That'd be a sucker's move.

The point is you're still going to be investigated, and it's not going to be fun, and probably not going to be worth the relative small gain you'll make even on the off chance you manage to get away with it. [That said, if it's me, I'm making a point of disclosing all future stock sales well in advance just to make sure this kind of thing can't come back to bite me.]

But they've spent their careers building up layers of untouchable-itis, and assuming, since nothing's bitten them before, they can do what they want... what's a minor investigation when you can grab a few mil? And get the probes quashed by just mentioning in a closed hearing how many SEC officials and congresspeople were involved in the breach, or maybe they weren't? Hard to figure out when I'm spending so much time in these hearings...

(I hate myself for having written that, but ugh. Too damn much tit-for-tat.)

This assumes none of them traded in the options market. An open question is who made the highly irregular $4.2M trade with such foresight.

It is indeed a puzzle, but not yet an exoneration.

Where is his list of rules? Sounds like a fun read but can't find anything on Google.

Here's the most recent run-down with links to where the Laws are established: https://www.bloomberg.com/view/articles/2017-07-13/main-stre...

Anyone got a link?

> I think we are up to the Seventh Law of Insider Trading. The first six are: (1) don't do it, (2) don't do it by buying short-dated out-of-the-money call options on undisclosed merger targets, (3) don't text or email about it, (4) don't do it in your mother's account, (5) don't do it by planting bombs at a company and shorting its stock, and (6) don't do it while employed at the Securities and Exchange Commission. I hereby declare the Seventh Law: (7) If you are going to insider trade, don't Google "how to insider trade without getting caught" before or after you trade.


In any company of significant size, there is an approval process for trading in one's own company stock precisely to capture this scenario, where an employee may not be aware of a price-moving event. I am not suggesting that they knew or didn't when they traded. Just that if they didn't, it's a pretty massive failure in their procedure that would need an investigation on its own.

I might conduct interviews in a second language, but I would certainly not testify under oath in a second language.

Samsung's heir and acting chairman, Lee Jae-yong, attempted the same approach in the S. Korea bribery scandal. Pleading ignorance didn't work out so well for him. I foresee the same here. You cannot be at that level within a corporation and dismiss all accountability.

Matt Levine already opined on this case, and his take was that nobody would be stupid enough to commit such an obvious crime for the rather low monetary advantage they got from selling a minor fraction of their shares (I believe it was around 4% of their respective stocks in Equifax).

Matt Levine actually wrote about this already and suggested that it's not likely to be insider trading. Buried in the details (according to him) is that these guys moved like <5% of their stock.

Depending on the charge and the defendants' jobs at Equifax, a standard of conduct that could be applied is "knew, or should have known".

Interesting comparison.

I think in this case the execs are going down. I will be shocked if we don't see some jail time after this is all done.

I envy your optimism. Consider me thoroughly carborundum'd by the illegitimi.

Perhaps they were just cashing in options that matured.

Perhaps, but their defense isn't what will be investigated. First they will collect and sift through all the evidence before even asking why they might have sold the stock at that point in time.

What charges?

> The executives' only way of staying out of jail is to claim that they suddenly have no idea what's going on

Hire a lawyer, no interviews with the FBI, but "me know nothing" might be a problem if they got memos on the breach, attended meetings, drew up plans on dealing with the fallout etc. It's hard to keep such a secret, especially from the top level execs.

What are the odds this doesn't just end in fines? What are the odds of C levels facing a custodial sentence?

> ... its president of U.S. information solutions, Joseph Loughran;...

> ... discovered a security breach on July 29...

> ... sold shares worth almost $1.8 million in early August...

> ... didn’t know of the breach at the time

You're the president of U.S. information solutions and you didn't know about the largest information breach in your company's history a week later?

If that's true, that speaks more to the problems in this company than the actual breach itself.

FYI the "President of US Information Solutions" at Equifax is a role that has nothing to do with their IT/security department. It's not the same thing as the CIO or head of IT, as many people are confusing him for. He's the head of a product line which is called "information solutions". The head of IT/CIO is a completely different person (who has since been fired/resigned).

This is a good clarification, but the guy shouldn't be absolved in either case. Here's the description of his duties from their website:

> Trey Loughran leads the company’s United States Information Solutions (USIS) business, which includes U.S.-based services that provide businesses with consumer and commercial information and insights related to areas of risk management, identity and fraud, marketing and other industry-specific solutions.

He would definitely be in the loop regarding a breach of this nature.

I don't necessarily think so. Just because he manages the risk management offering which is sold to other companies doesn't mean he would be aware of or involved in day-to-day risk management at his own company.

At my consulting firm, the execs in charge of our cybersecurity consulting practice are absolutely not involved in any internal cybersec investigations that happen to our own firm. In fact, we have specific procedures which say that our cybersecurity consultants cannot be involved with internal incidents. All internal investigations have to be done by outside, impartial firms.

Ah, a very good point. I'll give him a little bit more benefit of the doubt if that's the case. The FBI might not, mind you.

I'm not interested in giving the benefit of the doubt to a C-suite executive who cashes out about a week after the company suffers one of the most newsworthy data breaches in recent history. To my mind, they are in exactly the right position to know about this sort of thing.

For sure, an investigation will be forthcoming and, in this country, one is innocent until proven guilty. But it seems, in my opinion, exceedingly likely that we'll find an email or text or some bit of ephemera notifying these people of the breach.

If not, well, I will eat my hat.

Have you worked at a BigCo or know what it's like to be in senior leadership? I would not be surprised in the least if this guy had no clue about the hack. These organizations are huge. People are actually very tight lipped when these things happen. You are/should be told not to speak about it even with your peers.

I also wouldn't be surprised if he did know, but just wanted to emphasize these BigCo org charts tend to be insanely big and complicated. At the senior levels you may not talk to or see your boss for weeks; especially when some big shit like this is being uncovered. So totally possible he knew nothing.

Just a friendly reminder that due process is a thing in the US. Let's allow some time for the texts, emails, testimony, etc. to come out.

Everyone seems to have reached conclusions about this on very suspicious circumstances, but almost zero facts.

Due process is for punishment applied by public gov't bodies. However, people can and will reach conclusions based on the evidence laid before them to make their judgements as to whether to be Equifax customers or not.

I realize this may seem like mob-mentality or mob-rule but there's some nuance here. When you see such gross negligence do you wait until hearings and court judgements which can easily take years before voting with your wallet?

Individual consumers did not choose to be Equifax customers, and as far as I know there is no way for me to "opt out" and effectively have all of my data removed from Equifax (including all future data).

The terms and conditions of any loan, credit card, or other credit account include a release or disclosure that covers reporting the account and payment history to credit reporting agencies. So technically, we did "opt-in" when we accepted credit.

The way to "opt-out" is to never use credit.

That's not really fair though, as credit is only one facet of the data they collect on you.

In most of the US it's against code to live in an apartment without electricity. In order to get electricity, you have to open an account with a utility, who opts-in to submit all your data to Equifax.

Their Workforce Solutions division does the same thing with employment data-- so simply by applying for a job from a participating employer, you're consenting to ultimately let the employer report that you work for them, what your current salary is, your SSN and all the rest of the juicy PII.

Fall on hard times? Need some government assistance? Applying for food stamps will also result in your state agency making an inquiry with Equifax to confirm your location of residence and last reported income. If you didn't have a profile before, you do now.

There is no way to opt out unless you work for yourself, live in a home you paid cash for, generate your own power/gas, and never use credit. So basically Unabomber life.

Well I didn't say it was fair or even reasonable. Just what is. There are stories of people who have trouble getting credit or renting an apartment, etc. because they have never had credit before and therefore have no credit report. So it seems that the reporting agencies don't know about people who don't use credit or any other services that report.

This kind of contractual oligopoly should be explicitly disallowed. It's exactly the kind of place regulation should step in, much like it has with anti-competitive non-competes, forced-arbitration clauses, and IP-creator protections in some states.

Asking for a loan or credit is the quickest route into these credit rating agencies' databases. But their goal is to catalog and rate everyone, so you eventually get in there whether you ask for money or not.

True. Small comfort, but if you're a purchaser of credit rating data, you may have some flexibility in who you purchase from.

Won't make much difference in this new world of "assume that SSN is compromised, now what do you use?"

I'm already trying to figure out how to push locally for dropping SSNs from processes, no matter how Sisyphean it feels.

Yep. They're more of a de facto government than a corporation at this point.

Nope, I don't wait for courts when I think I have enough info to form my own opinion. I'm just as outraged about the Equifax breach as anyone else, and would never do business with them in any way. The key is, there's more evidence every day of negligence: the obvious authentication issues on their site, the "SSN API", the 4+ months that they didn't install the Apache security update, etc.

For me personally, the trading issue is a related but separate incident; one hasn't crossed the same threshold of clear evidence.

No. There's no question that the breach happened; Equifax disclosed it. Who knew what, and when, and whether any stock sales were illegal, are matters for due process. Outrage over the breach itself and the clear negligence that caused it is a separate issue.

Due process is important but there's a norm of competency for executives at a publicly traded company and there's a legal theory called "constructive knowledge" that asserts managers at a company are presumed to know what their underlings know. Together, these are very damning for the executives who traded after the security breach.

Prejudging their guilt isn't favorable and we should avoid doing it as a commitment to our legal system but people would have to ignore their eyes to come to the conclusion that this isn't what it looks like.

I'll probably be sorry for this, but... why doesn't this same standard apply in the political sphere?

A few years back, it seemed that a huge number of people were willing to give President Obama, and even Lois Lerner, a pass on illegal actions of the IRS based on exactly this theory: it's the responsibility of the manager to know what their underlings are doing.

And I don't mean to pick on just Obama. Ronald Reagan, patron saint of the GOP, skated on just such a thing with Iran-Contra. They got Oliver North to be a scapegoat and insulate Reagan and Bush.

So if you're wanting blood from the Equifax execs, think about who you've given a free pass to before.

Shockingly, the people who write the rules didn't really write them for easy application to the political class.

Constructive knowledge really only holds in corporations (and I'm not an attorney but I think it holds in organized crime organizations as well). And it was enhanced with Sarbanes-Oxley which was passed in the early 2000s.

Also, I'm under the impression that federal prosecutors appear very reluctant to actually use it in court and where they do use it, they usually have more direct evidence of wrongdoing. However, I get the sense that prosecutors know it exists and the Justice Department under Obama did use it to extract those massive fines from banks (albeit with no admission of wrongdoing, a get out of jail free card for the criminals in the firm, and the firms that retained Eric Holder's law firm seemed to get more favorable settlements).

I'd argue that the size of Equifax and its impact on everyone's lives pushes the matter beyond simple constructs of the legal system. I don't have an option to not do business with them so they shouldn't have any excuses.

There's a German jurist by the name of Carl Schmitt who would have some interesting things to say about the matter.

Due process is a legal concept, and fundamentally, a restriction on the state (for very good reasons). I think it's fine for commenters on an internet board to use P(crime was committed|shady trading patterns) > 0.5.

True, but from what we do know, a full investigation is warranted.

There's a pretty big difference between "a full investigation is warranted" (what you said - totally accurate) and "they should go to JAIL!!1" (much of this thread).

Definitely - the "very suspicious circumstances" part makes sure of that.

Well, I, personally, am not the US court system, and am free to draw whatever conclusions I like by whatever standard.

Zero facts? The fact is that 3 people sold between the company finding out and the public finding out. In fact, there is only one fact missing which is evidence that they knew of the breach.

Wouldn't it be more accurate to say that we have n-1 facts? (or n-3, one for each person)

I think the more interesting issue is the 2600 put options at $135 that were purchased on Aug 21:


I wonder if the 2600 number is significant or just a coincidence.

Wouldn't it be a better crime (more profit, easier to get away with) to use the hack to manipulate a company's stock than try to sell all the personal data for pennies per GB?

That's a pretty suspicious trade. The trader shelled out 150k in cost of options.

Equifax's Q2 earnings report came out after hours on Wednesday, July 26:


with an investor conference call on the morning of Thursday, July 27.

Any public company I've worked at has had a trading window that opened a day or two after an earnings report came out, with most people who want to trade trading early in that window. Admittedly I've never been an executive and I don't know how the rules differ for execs, but the dates when these trades took place are when I would expect Equifax employees to execute options and sell stock.

It also strikes me as possible that information about a security breach discovered on the weekend might not make its way up the company hierarchy for a few days, and that execs might not have been aware of it when they traded.

I do think this should be investigated by the SEC, but I'm a little disappointed at the rush-to-judgement in this thread.

Right. I also seem to recall the internet hive mind researching this when the story broke, and those same executives had been selling for months on a particular schedule and these trades were right in line with that schedule, and they still held significant stock in the company. Can't seem to find ATM though...

In many companies, if they don't have a CTO, the IT division reports to the CFO. Is that the case here? If so, hard to believe he didn't know about the breach very soon after discovery.

They had a CISO as well as a CIO. Both have been fired/resigned now, though.

CSO, not CISO.

I mean, on one hand, I wouldn't want this to go unnoticed and unpunished, but on the other, I'd rather that the feds be more focused on the actual breach part of things.

Then again, was any part of the breach actually criminally negligent? Maybe this is the only real way that the DoJ even can go after Equifax...

Hopefully they can do BOTH.

Most security standards are voluntary right? Based more on market pressure than regulation. It looks like the Fed is considering a set of regulations for large banking entities, which I assume Equifax would be a part of, but AFAIK the existing regulations aren't very robust and haven't been updated in recent years.

Is there anything the government has in regards to the storage of SSN? It could be regarded that the SSN is property of the Federal Government, i.e. the SSN Administration. Is there anything where they may have breached federal standards for storing federally owned data?

Edit: for example, there is the FedRAMP set of compliance rules.

Can someone own a set of numbers? I assumed that they were assigned and not owned, however that could just be semantics.

The ABA claims ownership of all banks' routing numbers, but that has yet to be validated in any meaningful capacity.


There are even "illegal" numbers.

Being surprised or upset that there are "illegal numbers" is like being upset that there are illegal configurations of matter and energy. "It's not murder, it's just a configuration of atoms!" doesn't fly.

If you believe the universe is discrete, this becomes stronger than a mere analogy - configurations of matter and energy are in fact numbers.

Why would the SEC/DOJ financial fraud resources be spent on the security breach?

We've got the FBI and other law enforcement agencies for that aspect, not that I'm optimistic that anyone will really be held accountable.

From the limited descriptions I've read of the architecture of the Equifax system, someone needs to go to prison.

Someone in Equifax was made aware of the breach on July 29, 2017. It defies common sense that the chief officers of the company did not learn of it until the same time as the general public, over a month later.

I don't believe there's any claim that they didn't learn of it until the public announcement, only that they didn't know of it at the time of the stock sale which was on Aug 1st, only a few days after the breach was "discovered".

Now, based on my experience, it's entirely possible that the July 29th "discovery" date only refers to the date on which some security analyst noticed abnormal behavior. That, combined with the possibility that Equifax doesn't have good security communication practices in place, means it easily could have been a few days (or even weeks) before the security team looked into it enough to know the size of the breach and escalated it up to the C-suite.

In the United States, insider trading is not a crime of a specific statute. Instead, it's charged as a breach of fiduciary obligation [1].

Whether the executives in question knew of the breach at the time they sold is irrelevant to whether the company, in allowing this sale to occur, misled the investors who bought those shares since the company, at the time of the sale, had awareness of the breach.

[1] https://www.sec.gov/fast-answers/answersinsiderhtm.html

Disclaimer: I am not a lawyer. This is not legal advice. Do not ever insider trade.

What’s even more disgusting is that behind the public’s back all of these guys brag about this sort of behavior.

I was reading a book published in 2008 called “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity”.

The main bad guy lobbyist of that book, Eric Ellman, who is now the head of the credit reporting lobbyist group (http://www.cdiaonline.org), PROUDLY DISPLAYS his portrayal in that book on his LinkedIn.


He basically doxxed himself.

That website you linked says its goal is to "educate consumers".

How can anyone believe this bullshit anymore? That website was out of date by 1996. It looks so bad. They don't care at all.

In the timeline of events that Equifax released [1] it says that they took the web app down on July 30 and contacted an external cybersecurity firm on August 2nd. The managers unloaded their stock from 7/31 to 8/2.

It doesn't sound believable to me that the managers could be unaware of the hiring of an external security firm, or that the company had shut down one of their major web applications.

[1] https://investor.equifax.com/news-and-events/news/2017/09-15...

None of the managers had anything to do with or were in the chain of command of the security team, so it's entirely possible they had absolutely no idea about the breach until long after 8/2.

The CFO is the one that is a little iffy, because the CFO might be involved in the hiring of the external firm. However, having worked for security consulting firms, it's also entirely possible that the CISO is given a blank check for this type of stuff without having to get CFO approval. I've worked in plenty of organizations doing cybersecurity work where the C-suite (including CIO, CFO, etc) was completely unaware we were there because they don't have to rubber stamp every single transaction.

It's also a possibility that the 8/2 date on which they "contacted" the firm was just when discussions started between the two parties, and it might have been a few days before a contract was ironed out enough to involve the CFO or anyone else.

There's a bunch of other possibilities/scenarios in which I think it's entirely believable that they didn't know. It's shady and worthy of investigation, yes, but I'm not willing to convict them just yet.

Perhaps if these guys get nailed then companies will start to see the value of disclosing security breaches in a timely manner instead of sitting on them for months while they spin up the PR machine.

Having worked on the incident response teams for these types of breaches, the "PR machine" is only part of the reason why companies "sit" on the info. It also takes a long time to do investigations on the breach to know what was stolen, how much was stolen, and how to mitigate it. The FBI also gets involved in breaches like this, and sometimes they'll ask to put off announcing the breach while they do their investigation of it as well.

It doesn't do anyone any good if you release a statement as soon as you notice abnormal behavior that just says "we might have been breached and our customers may be affected, but we don't know who is affected and we don't know how it affects them yet".

If "securities violations" is the only legal jeopardy Equifax executives are subject to, we are truly screwed.

The US needs a DPA, or at least its residents do. The government couldn't care less.

Federal officer: "Why did you sell the stock?"

Equifax officer: "uh.."

They will scrape through all their texts, emails, call logs. Someone will screw up somewhere. If they are dumb enough to provide a "SSN API" - I am sure their texts are a hilarious treasure trove. An easy slam dunk case.

> Federal officer: "Why did you sell the stock?"

> Equifax officer: "uh.."

- "To buy a vacation home...".

- "But why now?"

- "Prices are going up so seemed right to jump in"

The question is whether they can reasonably refute that they didn't hear anything about the breach. If it has to be proven beyond reasonable doubt the lawyers might think they can convince a jury. They could say they were on vacation maybe and didn't receive any communication about it. It is just that their cousin happens to be the college buddy of another exec but that might be tricky to prove.

I get your point, but there's also "reasonable doubt", which often is conflated to "beyond any doubt", which is not the standard.

I realize they're examples, but if there really is a high index of suspicion...

"So which realtor have you been working with? Presumably your browser history will show hits to real estate sites, too..."

"Vacation? Very nice. I'm sure you have boarding passes or credit card receipts from hotels..."

"I didn't want to tie up too much net worth in company stock and the stock had appreciated to a point I was willing to sell it."

Maybe not too believable but to suggest they would have no answer at all is a bit naive.

But there's already 'planned sales' forms for this sort of thing and well, I hear these weren't.

How do these execs not have 10b5-1 plans set up?! Many companies require them for all senior managers.


They're very much more likely to face consequences from the stock sales than they are to face any sort of 'negligence' charges due to their security practices, sadly. If Toyota got acquitted in their 'unintended acceleration' criminal negligence case, no one can ever be penalized for it. Toyota was exceptionally egregious in their negligence, even worse than most companies are as part of their daily practices. Their developers didn't even have access to a bug tracker. So whatever Equifax was doing, the courts will just look at it and do what they always do, say 'huh... computers, huh? NOBODY knows how they work. Acquitted!'


Maybe because I don't work at a "pure" tech company, but a few coworkers have commented that they had to sign up for credit protection with sort of a shrug attitude. They don't realize how negligent Equifax was here or what the impact is going to be for the rest of their lives.

Congress and the various regulatory bodies will take their pound of flesh. The CEO/Chairman will keep his job. Maybe MAYBE the President of USIS and/or the CFO go to jail for insider trading.

On the surface the security folks don't have great credentials...I kind of wonder if the CEO chose his subordinates specifically to take the hit in a data breach situation like this.

> I kind of wonder if the CEO chose his subordinates specifically to take the hit in a data breach situation like this.

^ This! They sure have shuffled the CIO and CISO out of the conversation quickly.

I'm sure you can be a perfectly competent CISO with two degrees in music composition and ten years experience, but they sure don't want us to hear about it if we haven't already.

I've been through an acquisition before and promoted and put into the position of "potential fall guy" where my name went on official documents, and there wasn't a budget for more people or things we needed. If we lost medical records to hackers, I'd expect to answer some uncomfortable questions!

But they are actively erasing information about these people from the internet, when lots of us want to have a closer look.

What happened to failure as a learning experience? Retired effective immediately? Come on, those two people will never make that same mistake again!

The article itself doesn't make it clear how they will determine whether or not it's insider trading or just a coincidence.

Also, if there was a "bad vibe" at the company, but they didn't specifically know about the breach, would that be insider trading?

As with any insider trading case, they just need to prove access to the information. So either a witness needs to come forward and say "I told X to Y executive" or they need email/phone records which prove that such information was shared with these individuals.

Unlike crimes like murder, insider trading is not predicated on intent, so proving intent is unnecessary.

Interesting. In that case, isn't all trading, given you work for an employer, "insider trading." If you see a bug opened on your company's GitHub and think it's crucial and sell all of your stock that's insider trading right?

IANAL but I believe that the spirit of the law is that insider trading is when you use confidential/privileged information to decide your trades. In this case IF they knew about the breach and made trades before a public announcement then that is insider trading. As for the GitHub bug report, that seems like a legal gray area.

Did you choose GitHub because (most) repositories there are public? If that's the question, I'm pretty sure it wouldn't be insider trading, because by definition it wasn't inside knowledge.

(Unless it required other, non-public data to know that the bug was important)

Not addressed in the article: whether the SEC thinks the suspicious trading in Equifax options[1] is at all related to this investigation. People say "well, $1.8M isn't that much given how much stock they hold"; yes, but, if they were trading options as well then it becomes serious money: the profit on the suspicious options trade was $4.2M.

[1]: https://www.cnbc.com/2017/09/08/suspect-trading-in-equifax-o...

I'm always perplexed by people's motivations for advancing that argument. The notion that the criminality of your actions depends on whether or not you're already wealthy (other facts not being in dispute) seems like the essence of corruption.

Not a popular opinion, but should insider trading be legal?

It seems to create a false sense of security, that people inside the company aren't going to do bad things. Many people have made their fortunes on some degree of insider trading that they wouldn't have made otherwise.

Wouldn't the markets be more efficient without this mirage?

No–legalising insider trading would destroy the market, because anybody not in a position to have insider knowledge would be at a severe disadvantage so as to make the expected return of investing negative.

An analogy: It'd be like playing online chess for money, without any way to stop your opponent from using a computer to make their moves. Or like the Olympics where some people are allowed to use performance enhancing drugs.

After a very short time, most everyone will have left the market.

There's also no more reason to legalise insider trading than murder or burglary. The prevalence is very likely to be at an all-time low currently, because the statistical methods used to spot insider trading in market data have improved dramatically. Some quant funds also flag suspicious trades as a sort of by-product of their work and share that data with the authorities.

> Not a popular opinion, but should insider trading be legal?

Isn't this legal for members of the United States Congress? I can't recall the specifics, but seem to remember some special exemption for them from insider trading rules.

Well, Congress itself seems to do abnormally well on their stock portfolio. They have some absurd return beating the indices by a wide margin. http://www.huffingtonpost.com/2011/05/24/members-of-congress...

Yes, members of Congress are not prohibited from making stock trades based on information they learn in their role as a Congressional rep. This includes not just routine and public hearings, but also closed and secret/classified hearings.

I don't know nearly as much about stock as most people on this site, so bear with me because I have a potentially dumb question.

I agree that the timing of these sales looks really bad. However, I've heard that these guys are executives with an enormous amount of stock and the sales were for a small percentage of their overall stake. If they were intentionally breaking the law to avoid losses, wouldn't they sell all or most of it? Was most of their stock not vested and they just dumped what already vested? Or is the claim that it was a small percentage of their stock not true?

It's not as if there's an amount X you can sell less of where it's totally fine, but if you go over, you're in trouble. Nobody would be dumb enough to sell their entire position, but at the same time, if you did have insider knowledge, you wouldn't want to have all your position tank. So what do you do? You could go a little bit in the middle and claim ignorance. Trading based off of insider knowledge is illegal regardless of the amount of trades, but in practice obviously the government only chases after egregious cases.

I think the idea of the question is, if you're talking about the difference between losing 50% of your value (doing nothing), and losing 49% of your value (making a small illegal trade), would it make sense to expose yourself to criminal liability for that 1%, even if that 1% represents a lot of money in absolute terms?

> looking into what executives knew

Since it is a criminal probe the prosecutor would have to prove beyond reasonable doubt they knew? It would seem the executives who believed they could officially refute seeing the information would have done this. Some might have contacted their lawyer maybe and asked "ok so I overheard it in the hallway as I was leaving on vacation, didn't open my email or get any calls about it, what do you think, could I slide by and sell".

In general, what is the conviction rate for insider trading? It seems in general a hard thing to prove.

Note that, as others have said, these executives only sold 4% and 17% of their holdings, respectively. It seems rather unlikely that they would risk so much for a rather negligible profit.

Regarding your question: insider trading is pretty well-policed. Conviction rate isn't really meaningful (but I'd estimate it's well above 3/4). What would be interesting is the rate of discovery, which is unfortunately impossible to know, because it's a "victimless" crime: nobody knows they've been harmed, and therefore it's impossible to find instances of insider trading without (usually) also finding the culprits.

But it's a pretty good guess that prosecution of insider trading is better today than it has ever been. Because all data is now available in digital form and can be sifted through with all sorts of advanced statistics/machine learning/etc. There's really no escape from this dragnet, because there's no way to trade without those trades showing up in the data. It's only after suspicious trades are discovered that they start following the money.

It's easy for the Fed to subpoena all emails, communications, and meetings of these people. It'll be easy to show the breach notice email sent to them, their replies, meeting agenda/attendees, and conference calls with their numbers.

In these days of electronic work environments, there are so many digital footprints one leaves in the trail.

I assume these are the sneaky execs who can officially claim they haven't opened that email. Individually each one thinks they probably have a chance of fooling the jury. I wonder how admissible the evidence is that all 4 of them sold in the same time frame. Because individually (imagine there was only one executive) each could argue that their case is just a random coincidence.

That leads into willful blindness territory, where unreasonable ignorance equates to knowledge: if there's no way you couldn't have known something without contriving a way not to know it, then you knew, in broad strokes at least, what you were trying not to know. That's how the law sees it.

Right. Sadly I think they are very likely going to get away with it.

They are almost certainly the kind of folks who planned this out and if there isn't any proof of knowledge, then there just isn't any. But it does seem inconceivable that they would have no knowledge of the event.

[IANAL] There's no trial yet, so it's about proving probable cause to go before a grand jury for an indictment.

The funny part here is that their defense seems to be, "no really we had no idea".

Which may get them off the insider trading charge, but opens them up to one hell of a shareholder lawsuit.

Maybe it's already been noted here, but I'm wondering about stock purchases. For instance, with the advanced knowledge in hand, did anyone with that information purchase a large amount of shares in, say, LifeLock or another such company?

These executives should volunteer to only accept from their sale of stock the value of that stock, 1 year from the date of their sale.

The excess capital, if the stock has not recovered, should be given to non profit charities that support victims of identity fraud.

As obvious as these sales look like insider trading, I wonder if the execs are that ignorant and/or greedy, or if this is truly a case of bad timing of large sales...

I wonder if, in an ironic twist, they try to play the ignorance card and use the breach itself as proof.

"Of course we were ignorant of the breach, we're really just not on top of things, I mean, look at how we got into this situation, and how we handled it! Does that sound like competence to you? Of course not!"

That would be a risky defense because while they may get off on the insider trading charge, they would open themselves up to a huge shareholder lawsuit.

I can believe they kept this pretty quiet inside the company while they figured it out... but I have a really hard time believing the CFO was out of the loop.

As it should be. That was the definition of insider trading.

Martha Stewart insider traded with a far smaller amount and went to jail afterward. These Equifax people need to go to jail.

She went to jail for lying to Federal investigators about the stock sale. It's impressively difficult to convict and jail people for insider trading.

Martha Stewart did not go to jail for insider trading.

I know it's about her lying to the Fed, and what are these people doing now with the Fed? Unless they're taking the 5th, they are lying.

Here's a link to the video interview from CISO Susan Mauldin in 2016 that was erased from YouTube a few days ago, on September 10 after it was first reported:


The HN thread that found another copy:


The first story that I saw breaking this interview, drawing attention to this story before it was wiped out by "user":


I'm reposting this information, there's nothing earth shattering for me in the interview but I smell a coverup (I hope it doesn't sound controversial when I say this, it appears to be that material information has been wiped off the public record during an investigation, and that's a coverup! Not mincing words.) This has hardly been covered at all, so I'm going to mention it again. I figure the story probably isn't going away anytime soon.

I think it's criminal (possibly quite literally) that this information is being suppressed by whoever has taken the original interviews down. It should be a case study, we should all watch it. I want to hear more from Susan Mauldin, but the appearance is they want her to disappear.

I am interested in the stock sales too, but I would like it to be a thing, where we all can learn from what has happened and fix our issues to be better at this kind of thing. There are obviously technical and greedological issues that own some blame, but let's not be hasty and sweep the cultural issues under the rug. (There was a second interview from that day, which to my knowledge has not been recovered yet.)

I'd like to be charitable and say that CISO Susan Mauldin did nothing wrong, but it's hard for me to make that argument seriously without more data and I don't hear anyone calling for her to testify in front of Congress yet. Maybe they'd like us to forget she was ever involved in the company, that just makes me want to know more and it should you too, if you've been following the story (but who could blame you for not knowing, just look what they're doing!)

Not to be pessimistic, but I'm surprised that anyone is even being considered for insider trading; it's legal for Congress to do it, why shouldn't rich people be able to do it? It will probably end up the same way as the credit default swaps, rich people trying to flip houses, banks selling shady packages to the middle class, and the US taxpayer providing a bailout and poor people getting the blame. The idea of justice or consumer protection in the US is a joke.

Oh, yeah that's the real crime. Give them 6 months in jail.

(USA can chew gum and walk at the same time, but where is the probe for the breach...? 143 million people terrorized and most likely thousands will have their life turned upside down because of it.)
